Did you try what Adam is suggesting in the earlier email? Also, to
quickly check, you can try removing the keystore and key.password configs
from the client side.
-Harsha

On Thu, Feb 18, 2016, at 02:49 PM, Srikrishna Alla wrote:
> Hi,
> 
> We are getting the below error when trying to use a Java new producer
> client. Please let us know the reason for this error -
> 
> Error message:
> [2016-02-18 15:41:06,182] DEBUG Accepted connection from /10.**.***.** on
> /10.**.***.**:9093. sendBufferSize [actual|requested]: [102400|102400]
> recvBufferSize [actual|requested]: [102400|102400]
> (kafka.network.Acceptor)
> [2016-02-18 15:41:06,183] DEBUG Processor 1 listening to new connection
> from /10.**.**.**:46419 (kafka.network.Processor)
> [2016-02-18 15:41:06,283] DEBUG SSLEngine.closeInBound() raised an
> exception. (org.apache.kafka.common.network.SslTransportLayer)
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>   at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>   at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
>   at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
>   at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1537)
>   at org.apache.kafka.common.network.SslTransportLayer.handshakeFailure(SslTransportLayer.java:723)
>   at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:313)
>   at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:68)
>   at org.apache.kafka.common.network.Selector.poll(Selector.java:281)
>   at kafka.network.Processor.run(SocketServer.scala:413)
>   at java.lang.Thread.run(Thread.java:722)
> [2016-02-18 15:41:06,283] DEBUG Connection with
> l************.com/10.**.**.** disconnected
> (org.apache.kafka.common.network.Selector)
> javax.net.ssl.SSLException: Unrecognized SSL message, plaintext
> connection?
>   at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:171)
>   at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
>   at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
>   at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>   at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:408)
>   at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:269)
>   at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:68)
>   at org.apache.kafka.common.network.Selector.poll(Selector.java:281)
>   at kafka.network.Processor.run(SocketServer.scala:413)
>   at java.lang.Thread.run(Thread.java:722)
> 
> Producer Java client code:
>                 System.setProperty("javax.net.debug","ssl:handshake:verbose");
>                Properties props = new Properties();
>                props.put("bootstrap.servers", "************.com:9093");
>                props.put("acks", "all");
>                props.put("retries", "0");
>                props.put("batch.size", "16384");
>                props.put("linger.ms", "1");
>                props.put("buffer.memory", "33554432");
>                props.put("key.serializer",
>                "org.apache.kafka.common.serialization.StringSerializer");
>                props.put("value.serializer",
>                "org.apache.kafka.common.serialization.StringSerializer");
>                props.put("security.protocol", "SSL");
>                props.put("ssl.protocal", "SSL");
>                props.put("ssl.truststore.location",
>                "/idn/home/salla8/ssl/kafka_client_truststore.jks");
>                props.put("ssl.truststore.password", "p@ssw0rd");
>                props.put("ssl.keystore.location",
>                "/idn/home/salla8/ssl/kafka_client_keystore.jks");
>                props.put("ssl.keystore.password", "p@ssw0rd");
>                props.put("ssl.key.password", "p@ssw0rd");
>                Producer<String, String> producer = new
>                KafkaProducer<String, String>(props);
> 
> 
> Configuration -server.properties:
> broker.id=0
> listeners=SSL://:9093
> num.network.threads=3
> num.io.threads=8
> socket.send.buffer.bytes=102400
> socket.receive.buffer.bytes=102400
> socket.request.max.bytes=104857600
> security.inter.broker.protocol=SSL
> ssl.keystore.location=/opt/kafka_2.11-0.9.0.0/config/ssl/kafka.server.keystore.jks
> ssl.keystore.password=p@ssw0rd
> ssl.key.password=p@ssw0rd
> ssl.truststore.location=/opt/kafka_2.11-0.9.0.0/config/ssl/kafka.server.truststore.jks
> ssl.truststore.password=p@ssw0rd
> ssl.client.auth=required
> log.dirs=/tmp/kafka-logs
> num.partitions=1
> num.recovery.threads.per.data.dir=1
> log.retention.hours=168
> log.segment.bytes=1073741824
> log.retention.check.interval.ms=300000
> log.cleaner.enable=false
> zookeeper.connect=*********:5181/test900
> zookeeper.connection.timeout.ms=6000
> 
> 
> Logs - kafkaServer.out:
> [2016-02-17 08:58:00,226] INFO KafkaConfig values:
>                request.timeout.ms = 30000
>                log.roll.hours = 168
>                inter.broker.protocol.version = 0.9.0.X
>                log.preallocate = false
>                security.inter.broker.protocol = SSL
>                controller.socket.timeout.ms = 30000
>                ssl.keymanager.algorithm = SunX509
>                ssl.key.password = null
>                log.cleaner.enable = false
>                num.recovery.threads.per.data.dir = 1
>                background.threads = 10
>                unclean.leader.election.enable = true
>                sasl.kerberos.kinit.cmd = /usr/bin/kinit
>                replica.lag.time.max.ms = 10000
>                ssl.endpoint.identification.algorithm = null
>                auto.create.topics.enable = true
>                zookeeper.sync.time.ms = 2000
>                ssl.client.auth = required
>                ssl.keystore.password = [hidden]
>                log.cleaner.io.buffer.load.factor = 0.9
>                offsets.topic.compression.codec = 0
>                log.retention.hours = 168
>                ssl.protocol = TLS
>                log.dirs = /tmp/kafka-logs
>                log.index.size.max.bytes = 10485760
>                sasl.kerberos.min.time.before.relogin = 60000
>                log.retention.minutes = null
>                connections.max.idle.ms = 600000
>                ssl.trustmanager.algorithm = PKIX
>                offsets.retention.minutes = 1440
>                max.connections.per.ip = 2147483647
>                replica.fetch.wait.max.ms = 500
>                metrics.num.samples = 2
>                port = 9092
>                offsets.retention.check.interval.ms = 600000
>                log.cleaner.dedupe.buffer.size = 524288000
>                log.segment.bytes = 1073741824
>                group.min.session.timeout.ms = 6000
>                producer.purgatory.purge.interval.requests = 1000
>                min.insync.replicas = 1
>                ssl.truststore.password = [hidden]
>                log.flush.scheduler.interval.ms = 9223372036854775807
>                socket.receive.buffer.bytes = 102400
>                leader.imbalance.per.broker.percentage = 10
>                num.io.threads = 8
>                offsets.topic.replication.factor = 3
>                zookeeper.connect = lpdbd0055:5181/test900
>                queued.max.requests = 500
>                replica.socket.timeout.ms = 30000
>                offsets.topic.segment.bytes = 104857600
>                replica.high.watermark.checkpoint.interval.ms = 5000
>                broker.id = 0
>                ssl.keystore.location = /opt/kafka_2.11-0.9.0.0/config/ssl/keystore.jks
>                listeners = SSL://:9093
>                log.flush.interval.messages = 9223372036854775807
>                principal.builder.class = class org.apache.kafka.common.security.auth.DefaultPrincipalBuilder
>                log.retention.ms = null
>                offsets.commit.required.acks = -1
>                sasl.kerberos.principal.to.local.rules = [DEFAULT]
>                group.max.session.timeout.ms = 30000
>                num.replica.fetchers = 1
>                advertised.listeners = null
>                replica.socket.receive.buffer.bytes = 65536
>                delete.topic.enable = false
>                log.index.interval.bytes = 4096
>                metric.reporters = []
>                compression.type = producer
>                log.cleanup.policy = delete
>                controlled.shutdown.max.retries = 3
>                log.cleaner.threads = 1
>                quota.window.size.seconds = 1
>                zookeeper.connection.timeout.ms = 6000
>                offsets.load.buffer.size = 5242880
>                zookeeper.session.timeout.ms = 6000
>                ssl.cipher.suites = null
>                authorizer.class.name =
>                sasl.kerberos.ticket.renew.jitter = 0.05
>                sasl.kerberos.service.name = null
>                controlled.shutdown.enable = true
>                offsets.topic.num.partitions = 50
>                quota.window.num = 11
>                message.max.bytes = 1000012
>                log.cleaner.backoff.ms = 15000
>                log.roll.jitter.hours = 0
>                log.retention.check.interval.ms = 300000
>                replica.fetch.max.bytes = 1048576
>                log.cleaner.delete.retention.ms = 86400000
>                fetch.purgatory.purge.interval.requests = 1000
>                log.cleaner.min.cleanable.ratio = 0.5
>                offsets.commit.timeout.ms = 5000
>                zookeeper.set.acl = false
>                log.retention.bytes = -1
>                offset.metadata.max.bytes = 4096
>                leader.imbalance.check.interval.seconds = 300
>                quota.consumer.default = 9223372036854775807
>                log.roll.jitter.ms = null
>                reserved.broker.max.id = 1000
>                replica.fetch.backoff.ms = 1000
>                advertised.host.name = null
>                quota.producer.default = 9223372036854775807
>                log.cleaner.io.buffer.size = 524288
>                controlled.shutdown.retry.backoff.ms = 5000
>                log.dir = /tmp/kafka-logs
>                log.flush.offset.checkpoint.interval.ms = 60000
>                log.segment.delete.delay.ms = 60000
>                num.partitions = 1
>                num.network.threads = 3
>                socket.request.max.bytes = 104857600
>                sasl.kerberos.ticket.renew.window.factor = 0.8
>                log.roll.ms = null
>                ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
>                socket.send.buffer.bytes = 102400
>                log.flush.interval.ms = null
>                ssl.truststore.location = /opt/kafka_2.11-0.9.0.0/config/ssl/truststore.jks
>                log.cleaner.io.max.bytes.per.second = 1.7976931348623157E308
>                default.replication.factor = 1
>                metrics.sample.window.ms = 30000
>                auto.leader.rebalance.enable = true
>                host.name =
>                ssl.truststore.type = JKS
>                advertised.port = null
>                max.connections.per.ip.overrides =
>                replica.fetch.min.bytes = 1
>                ssl.keystore.type = JKS
> (kafka.server.KafkaConfig)
>  Thanks,
> Sri
> 
> 
> 

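When triaging a report like the one above, it helps to check mechanically whether the posted server.properties matches what the broker logged at startup, and whether every client `ssl.*` name is one the broker dump lists. The following is an added example, not code from this thread or from the Kafka project; the sample strings are constructed from lines quoted in the message, and using the broker dump's key names as the reference for client settings is an assumption.

```python
import difflib
import re

# Constructed samples: lines taken from the quoted server.properties, the
# KafkaConfig startup dump, and the producer's property names.
SERVER_PROPERTIES = """\
listeners=SSL://:9093
ssl.keystore.location=/opt/kafka_2.11-0.9.0.0/config/ssl/kafka.server.keystore.jks
ssl.key.password=p@ssw0rd
"""
KAFKA_CONFIG_DUMP = """\
[2016-02-17 08:58:00,226] INFO KafkaConfig values:
        ssl.key.password = null
        ssl.protocol = TLS
        ssl.keystore.location =
        /opt/kafka_2.11-0.9.0.0/config/ssl/keystore.jks
        ssl.truststore.location =
        /opt/kafka_2.11-0.9.0.0/config/ssl/truststore.jks
        listeners = SSL://:9093
 (kafka.server.KafkaConfig)
"""
CLIENT_KEYS = ["security.protocol", "ssl.protocal", "ssl.truststore.location"]

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_dump(text):
    """Parse 'key = value' lines from a KafkaConfig dump, joining wrapped values."""
    values, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+([\w.]+) =\s*(.*)$", line)
        if m:
            last = m.group(1)
            values[last] = m.group(2).strip()
        elif last and values[last] == "" and line.strip() and not line.strip().startswith("("):
            values[last] = line.strip()  # value wrapped onto the next line
    return values

def config_drift(props, effective):
    """Keys whose configured value differs from what the broker logged at startup."""
    return {k: (v, effective[k]) for k, v in props.items()
            if k in effective and effective[k] not in (v, "[hidden]")}

def unknown_ssl_keys(client_keys, known):
    """Client ssl.* names absent from the dump, with the nearest listed name."""
    return {k: difflib.get_close_matches(k, known, n=1)
            for k in client_keys if k.startswith("ssl.") and k not in known}
```

On these samples, `config_drift` reports `ssl.keystore.location` and `ssl.key.password`, and `unknown_ssl_keys` reports `ssl.protocal` with `ssl.protocol` as the nearest name.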